Genor-Comfy-Gate

Security checks across malware telemetry and agentic risk

Overview

This is a real ComfyUI gateway, but it exposes powerful service-control and workflow-mutation features with weak scoping and under-disclosed persistence risks.

Install only if you intend to run a persistent local ComfyUI gateway and can restrict it to trusted users. Set a strong GCG_API_KEY/API_KEY before exposing it, bind or firewall the service to localhost/private networks, review the MCP tools before connecting an agent, and treat generated media links and sidecar metadata as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill presents itself as a reference document, but it also includes operational details such as install steps, shell execution, auth/header information, local filesystem paths, and service management. That mismatch increases the chance an agent will use it as an action-oriented runbook and expose or misuse privileged local capabilities beyond the expected documentation scope.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The top-level description advertises general multimodal generation, but later sections document explicit NSFW/hentai workflows and genital-focused processing pipelines that materially change the risk profile. This hidden capability can cause an agent to generate or handle sensitive sexual content without clear disclosure, policy gating, or user awareness.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The skill documents one-time media access tokens that allow file retrieval without an API key, but gives no strong justification, constraints, or safeguards for their use. In a generic documentation skill, this expands access semantics and may enable unintended sharing of generated media through bearer-style links.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
Including install-time shell execution and PM2 management instructions in a reference-oriented skill broadens it into an operational control surface. Agents following the document may run local commands or alter services in contexts where only informational guidance was expected.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The MCP endpoint exposes a restart tool that invokes `pm2 restart` on the gateway process, which is an administrative action unrelated to ordinary workflow discovery or generation. If the MCP surface is reachable by untrusted users or LLM agents, it enables trivial denial of service and unauthorized operational control over the service.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The MCP handler allows callers to upload arbitrary workflow JSON and persistently register it, expanding the attack surface from generation to remote configuration/state modification. In an agent-exposed context, this can be abused to implant malicious or harmful workflows, overwrite service behavior, consume resources, or create persistence for later exploitation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The `/workflows`, `/workflows/:id`, and `/workflows/:id/preview` routes are exposed without `auth`, allowing any unauthenticated caller to enumerate available workflows, retrieve workflow definitions, and inspect preview schemas. In this gateway context, those endpoints reveal internal capability and configuration details that can help an attacker map the system and craft targeted requests against authenticated generation or admin functionality.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The media-once endpoint is explicitly documented as requiring no API key, but the skill does not warn about the security implications of bearer-token exposure, replay risk, or accidental sharing. This can lead to unauthorized access to generated media if tokens leak through logs, prompts, browser history, or chat transcripts.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The document states that generated files are stored with metadata sidecars, but does not warn that prompts, lyrics, and other potentially sensitive user content may persist on disk. This creates privacy and retention risks, especially for personal, copyrighted, or explicit content that users may assume is ephemeral.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The installer makes persistent system-level changes by globally installing PM2 and registering a managed service, but it does so without clearly warning the user or requesting confirmation. That behavior is risky because running the script implicitly alters the host environment and creates a background process, which can surprise users and increase the blast radius if the package or configuration is later found to be unsafe.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding
The unauthenticated workflow listing endpoint leaks registry metadata to any remote user, including workflow IDs, types, extensions, titles, and descriptions. While this is primarily information disclosure, it lowers the bar for reconnaissance and makes subsequent abuse of other endpoints easier.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The workflow JSON write endpoint is authenticated, but it accepts arbitrary request bodies and writes them to workflow files via `saveWorkflowJsonFile`, creating a high-risk configuration tampering surface. If a valid API key is leaked or overprivileged users exist, attackers can modify workflow definitions and potentially alter downstream processing, persistence behavior, or resource consumption.

VirusTotal

VirusTotal findings are pending for this skill version.